add more DLLs to preload list to prevent DLL sideloading attacks

kjk · claude · kjk · commit c894f00963c3 · 2026-04-13T23:45:29.000+02:00
A crash report showed a malicious DWrite.dll planted next to
the portable exe, executing shellcode via DLL search order hijacking.
Preload all late-loaded DLLs from System32 to block this vector.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/utils/WinDynCalls.cpp b/src/utils/WinDynCalls.cpp
@@ -202,7 +202,14 @@ HRESULT SetCaptionColor(HWND hwnd, COLORREF col) {
 }; // namespace dwm
 
 static const char* dllsToPreload =
-    "gdiplus.dll\0msimg32.dll\0shlwapi.dll\0urlmon.dll\0version.dll\0windowscodecs.dll\0wininet.dll\0";
+    "gdiplus.dll\0msimg32.dll\0shlwapi.dll\0urlmon.dll\0version.dll\0windowscodecs.dll\0wininet.dll\0"
+    "DWrite.dll\0TextShaping.dll\0textinputframework.dll\0"
+    "WINTRUST.dll\0MSASN1.dll\0imagehlp.dll\0CRYPTSP.dll\0rsaenh.dll\0CRYPTBASE.dll\0"
+    "bcryptPrimitives.dll\0kernel.appcore.dll\0MSCTF.dll\0"
+    "CoreMessaging.dll\0CoreUIComponents.dll\0WS2_32.dll\0wintypes.dll\0"
+    "ntmarta.dll\0clbcatq.dll\0profapi.dll\0PROPSYS.dll\0MrmCoreR.dll\0"
+    "thumbcache.dll\0VCRUNTIME140.dll\0sendmail.dll\0policymanager.dll\0"
+    "msvcp110_win.dll\0CFGMGR32.dll\0";
 
 // try to mitigate dll hijacking by pre-loading all the dlls that we delay load or might
 // be loaded indirectly
